Re: Package management unsafe?
Maybe a check should be added to APT to flag a warning if there have been no updates for a significant period of time? That way, if a mirror ever does that, it's more detectable.
On Fri, Jul 11, 2008 at 8:55 AM, Steinar H. Gunderson <firstname.lastname@example.org> wrote:
> On Fri, Jul 11, 2008 at 07:36:44AM -0500, Ron Johnson wrote:
>> What are people's thoughts on this?
> It's been known for quite a while. (I asked one of the guys publishing it,
> and he was fully aware of that, but felt it was still important to bring
> light to it.)
> In any case, it's pretty hard to exploit as long as you have security updates
> on a different (trusted) server. The best thing you can do is DoS the process
> so the user's package management software crashes, or simply never update
> your mirror so users don't get updates.
> /* Steinar */
> Homepage: http://www.sesse.net/
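One way to implement the staleness check proposed above, as an added example that is not APT's code and not from anyone in the thread. It parses the header part of a mirror's Release file, compares the Date field with the current time, and also reports an expired Valid-Until field, a Date older than the one last seen (a mirror serving an older snapshot), or a Date in the future. The 14-day threshold, the utc() helper, the last_seen_date parameter and the sample Release header are all assumptions made for this example.

```python
"""Freshness check for an APT Release file (added example, not APT's own code)."""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample of the header part of a Release file as served by a mirror.
SAMPLE_RELEASE = """Origin: Debian
Label: Debian
Suite: stable
Codename: etch
Date: Fri, 11 Jul 2008 12:00:00 UTC
Architectures: amd64 i386
Components: main contrib non-free
Description: Debian 4.0 Released 8th April 2007
MD5Sum:
 d41d8cd98f00b204e9800998ecf8427e 0 main/binary-amd64/Release
"""

# Assumed policy: anything older than this is reported as stale.
DEFAULT_MAX_AGE = timedelta(days=14)
# Assumed tolerance for clock skew between the client and the archive.
CLOCK_SKEW = timedelta(hours=1)


def utc(year, month, day, hour=0, minute=0):
    """Helper for building timezone-aware UTC timestamps in examples and tests."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def parse_release_fields(text):
    """Return the single-line 'Field: value' headers of a Release file.

    Continuation lines (the checksum lists, which start with a space) and
    fields with an empty value such as 'MD5Sum:' are skipped; the freshness
    check only needs the single-line headers.
    """
    fields = {}
    for line in text.splitlines():
        if not line or line[0] in " \t":
            continue
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields[key.strip()] = value.strip()
    return fields


def _parse_date(value):
    """Parse the RFC 2822 style date used in Release files into an aware datetime."""
    dt = parsedate_to_datetime(value)
    if dt.tzinfo is None:  # some Python versions return naive for certain zones
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


def check_release_freshness(text, now, max_age=DEFAULT_MAX_AGE, last_seen_date=None):
    """Classify a Release file as seen from the client at time `now`.

    Returns (status, detail). Statuses: 'missing-date', 'future-dated',
    'rollback', 'expired', 'stale', 'ok'. last_seen_date is the Date of the
    last Release file this client accepted for the same suite, if recorded.
    """
    fields = parse_release_fields(text)
    if "Date" not in fields:
        return "missing-date", "Release file carries no Date field"
    date = _parse_date(fields["Date"])

    if date > now + CLOCK_SKEW:
        return "future-dated", f"Release Date {date.isoformat()} is in the future"
    if last_seen_date is not None and date < last_seen_date:
        return "rollback", (f"Release Date {date.isoformat()} is older than the "
                            f"previously seen {last_seen_date.isoformat()}")
    if "Valid-Until" in fields:
        valid_until = _parse_date(fields["Valid-Until"])
        if now > valid_until:
            return "expired", f"Release expired at {valid_until.isoformat()}"

    age = now - date
    if age > max_age:
        return "stale", f"Release is {age.days} days old (limit {max_age.days} days)"
    return "ok", f"Release is {age.days} days old"


if __name__ == "__main__":
    for when in (utc(2008, 7, 12, 12), utc(2008, 8, 11, 12)):
        status, detail = check_release_freshness(SAMPLE_RELEASE, when)
        print(f"{when.date()}: {status}: {detail}")
```

The check is only meaningful when the Release file is verified against its signature (Release.gpg) first: the Date and Valid-Until fields are inside the signed text, so a mirror cannot forward-date an old snapshot without the archive key, but it can still serve a genuinely signed old file, which is exactly what the stale and rollback outcomes flag.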